An authentication credential is generally considered to be an artifact submitted as a means of identity attestation. An electronic authentication credential is transmitted through a computer network with the purpose of allowing a party to gain access to a remote computer system. A commonly used authentication credential is the password; however, adversaries routinely defeat passwords through keyboard loggers and other techniques. Regulators such as the Federal Financial Institutions Examination Council (FFIEC) permit banks to continue to use passwords, but the banks must augment them with additional credentials. Even if an adversary were to defeat one credential, the additional credentials would constitute further hurdles that would hopefully stop the attack.
Security practitioners typically classify authentication credentials in four broad categories:
- Something you know
- Something you have
- Something you are
- Somewhere you are
Best practice recommends employing an authentication credential from at least two of the first three categories. Service providers such as banks often wish to continue leveraging passwords or other means of proving “something you know” due to their inherently low cost and simple means of distribution; however, in some cases, banks switch from passwords to biometrics such as fingerprint sensors. In response to the FFIEC ruling mandating multi-factor authentication, the second most popular factor employed in on-line banking is “something-you-have” implemented through an identification of the user's machine. If an adversary were to steal a user's password but launch an attack from the adversary's own (non-registered) machine, the adversary would not gain access because one of the authentication credentials would fail.
Subsequent to the FFIEC ruling, many banks adopted machine identification. The banks placed a cookie in the user's browser and prohibited access unless the client's machine could prove possession of the cookie. Adversaries quickly learned to defeat the cookie through malware. The FFIEC issued a subsequent ruling that disallowed cookies unless they were augmented with additional controls. Financial Services is one of the first industries to execute the upgrade from one-factor authentication to multiple factors of authentication. Whether user biometrics or machine identification is used for authentication, in both cases the second factor is something-you-have, offered through either a human biometric (e.g. user fingerprint, retina scan) or the machine e-biometric.